encrypted tapes (was Re: Papers about "Algorithm hiding" ?)

astiglic at okiok.com astiglic at okiok.com
Fri Jun 10 15:16:00 EDT 2005


> astiglic at okiok.com wrote:
>> "Ben Laurie wrote"
>>
>>>astiglic at okiok.com wrote:
>>>
>>>>Example:
>>>>   Cash_Ur_check is in the business of cashing checks.  To cash a
>>>> check,
>>>>they ask you for "sensitive information" like SIN, bank account number,
>>>>drivers licence number, etc.   They use the information to query
>>>>Equifax or the like to see if the person has a good credit rating, if
>>>>the rating is o.k. they cash the check.  They keep all the information
>>>>in the database, because if the client comes back 2 months later, they
>>>>will send the same query to Equifax to see if the credit rating hasn't
>>>>changed.
>>>>These sensitive information are "indexes" to external databases (but
>>>>Cash_Ur_check doesn't directly connect to these other databases).
>>>>Cash_Ur_check doesn't need to use these data as indexes.  Cash_Ur_check
>>>>can use first/middle/last name of person as an index, or attribute some
>>>>random number to the person, or something else, they should not use the
>>>>SIN to identify a person.  They should not do searches on SIN to find a
>>>>person given his SIN.
>>>
>>>Sure, but Equifax should.
>>
>>
>> No, they shouldn't!  If you think they should, you are missinformed.  At
>> least in Canada, the Privacy Act protects the SIN, Equifax cannot demand
>> it.
>
> I am just reading what you've written: "To cash a check, they ask you
> for "sensitive information" like SIN, bank account number, drivers
> licence number, etc.   They use the information to query Equifax or the
> like"

They'll ask for it, but you don't have to give it.  They can collect it,
but they don't have to do searches on it.
It's the typical ask for SIN if the user gives it use it (as in Adam
Shostack's example with cell phone), but if they don't then ask for 2
other identity cards.  In most cases, I don't have to give my SIN, but
almost everybody asks for it.

Equifax will always ask for the SIN but they don't have the right to
demand it.

http://www.piac.ca/newpage91.htm

"Equifax suggests that to prevent these inaccuracies, consumers should
always give their full name and SIN number on application forms (this
facilitates updating of files and prevents confusion of two files).
However, this solution to the problem does not take into account that
consumers have a valid interest in protecting their privacy with respect
to their SIN."

The problem is with forms that make it look like you have to give your
SIN, when in fact the law says you don't have to.  Providing other
identification can be troublesome, so allot of people just end up giving
their SIN.

--Anton


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list